“You realize I’m only here for the coffee,” Bryan says as he settles into his seat.
“Oh, c’mon,” I say. “You like being with friends.”
“The conversation is more intelligent that what I get from the users at work,” he admits. “Now explain what this week’s topic is.”
“Why am I important?” I ask him.
He blinks at me.
“No, seriously,” I say. “That’s what everyone says these days about passwords and locking down accounts and stuff. ‘I’m not that important’ or ‘I’m a nobody, so why should I worry about computer security and all that?’”
“What’s your credit score?” Bryan asks.
This is a number I’m actually very proud of. Sam and I have worked hard to get it as good as it is and keep it there. “High 700’s, low 800’s,” I say.
“Uh-huh. And who are you? In the grand scheme of things?”
“You’re a nobody, right? You’re not that important.”
It stings that he said that, but it is true. “Well, yeah….”
“If I’m a bad guy, I could use your information to open some new accounts of my own, then max them out before I get caught. What people don’t understand is how identity theft works: It’s just like breaking into a house – I don’t give a damn who you are, all I care about is what I can steal and use for my own ends. Your laptop I might be able to pawn for a fifty bucks or so, which isn’t much, but it’s enough to maybe get what I really want, like drugs or some other crap.”
“But most thieves don’t know my credit score,” I point out. “Why would they come after me?”
“Well, if you act like Joe-Dumbass who doesn’t secure his house, you’re an easy target. If I discover my target has unexpected valuables after I get into his house, that’s just a bonus.”
“But the bad guys go after big targets, don’t they?”
Bryan rolls his eyes. “Okay. The Big Bad Guys go after the big game like organized crime going after places like WalMart. Remember Target? Or the government Office of Personnel Management breach?”
I wait for an explanation and don’t get one. “What the hell does that mean?”
Bryan sighs. “Big data breaches make the big headlines in the news, but it doesn’t lay out how things actually work. Jobs like the Target hit are most likely organized crime hits. The joke that organized crime is the most disorganized syndicate there is isn’t valid in the world of data – they are very organized and they have a very well-oiled system. A bit like a chop shop, in most cases. Smart thieves don’t sell the stolen car whole – they part it out. Five accounts here, 10 accounts there, a bundle of a hundred or even a thousand if you have the buying power. Big shops go after big targets expressly to get the little guys like you and me because we don’t have the money to chase them down and retaliate.”
“But the big target does.”
“The big target business wants a return on investment,” Bryan corrects. “They want maximum results for minimum payout. That means they hand over evidence to inspectors, conduct a review of their own policies, try to tighten up their security holes and move on. They’re not going to go after the Big Bad Guys because it’s an international chase in most cases and they won’t get their money back. Better to just take your licks and try to fix what you screwed up so it doesn’t happen again.”
“But what about the OPM thing? That wasn’t organized crime, was it?”
Bryan nods. “No. But governments look for other things – They’re looking for files for government ops or intellectual property or even things like who’s about to go bankrupt, who’s got a porn fetish, who’s recently divorced. They combine that data they get from OPM with other data they’ve picked up to figure out who and how to cultivate assets. ‘Ah, Joe Smith is in the OPM files. We have data on another Joe Smith who has the same mailing address and a porn fetish. If we upload some videos to his favorite site with some malware attached, we might be able to snag access into his computer. Bonus points if he’s being extra stupid and using a government computer.’”
“You think the Chinese government uploads porn to infect computers?” You have got to be kidding me. I never thought of Bryan as a card-carrying member of the Tinfoil Undies crowd.
“Why not? The intelligence community is always running sneaky jobs in places no one thinks about. Some are better at it than others, but the idea is to identify a soft target and take advantage of it in order to get to the bigger prize. ‘Joe Smith’ could be a nobody – some twit file clerk on a base somewhere, but what he has access to might be something bigger. Or he could be manipulated into supplying that access.”
He swirls his coffee cup around, his hand over the top of the cup and his wrist turning in lazy circles. “But the theft of personal identifying information – PII – by little guys on anyone they can get to has been going on for years. Once they used to go through your trash to gather data, now they just have to sit in a parking lot with a sniffer riding the local wi-fi hotspot.”
“Oh, good lord,” he mutters. “Let’s take the library as an example. No one worries about cars that are sitting in that parking lot all day, because cars come and go and people wait in their cars for other people or something like that. ‘Hey Bob, we’ll meet at the library parking lot and go from there,’ right? With the right equipment – like an old laptop and free or stolen software – I could sit in that parking lot and pick up banking passwords, usernames, and all kinds of crap. That wi-fi connection isn’t secure at all, but people do their banking there all the time.” He sips at his coffee.
“So don’t go to the library,” I say.
“Don’t go anywhere the network isn’t secured,” Bryan amends. “Like a chiropractor I used to see. I found out they used a wireless keyboard which doesn’t sound bad until you put a few clues together – Wireless keyboards aren’t encrypted. They send each and every keystroke in the clear, just like your phone does. Using the same equipment as the library example – and some of it can run on a smartphone – I can gather up all kinds of information. I can even get in through the computer’s bluetooth that reads the wireless keyboard and access files directly on the hard drive. My chiropractor didn’t think it was a big deal – ‘I’m not important like a big business’ he said. He changed his tune when I pointed out a few things like medical records and insurance billing information. If it all goes through that keyboard, well, a bad guy can pick all that up, sort it out, then use the insurance information he picked up to go to a clinic and get a prescription of Oxycodone. Now, suddenly, my health insurance has a record of me taking Oxy, when I’ve never taken it before in my life. That may not sound bad until they wonder why I’m going to 2 different clinics and getting prescriptions for wildly different things. Then they start sending up red flags for drug abuse and insurance fraud – which is a bitch to clear up and a huge waste of my time. And the issue is more of a pain because of HIPAA. Now that my health records have been compromised, I can’t get access to view them without a court order because I could be violating someone else’s privacy by viewing the shit they claimed on my file.”
“You’re shittin’ me,” I say. “You can’t look at your own file?”
“Not after it’s been compromised like that. It’s a HIPAA privacy violation because I could be seeing someone else’s health problems. The fact that they violated mine doesn’t even matter in the eyes of the law. I have to prove that I’m the victim and go through years of red tape to do it. According to the insurance company, I’m the bad guy even though I’m the victim.” Bryan shakes his head. “And yet, I’m still a nobody.”
“A nobody with insurance.”
He touches his nose. “Exactly. Getting caught in a child porn case is a little more messy, but still a pain in ass.”
“Child porn?” I ask.
“Well, yeah. If good neighbor X doesn’t have his wi-fi secured, a bad guy can use it to cruise the internet and download or upload whatever the hell he wants. The cops will confiscate the good neighbor’s computer because it was his wi-fi. It will take them a while to figure out he didn’t do those things, maybe even weeks. But if the bad guy notices the cops and he’s smart, he’ll scrub his computer and maybe even try to ditch it and move before anyone puts 2 and 2 together. In the meantime, good neighbor X has to go through the ringer and maybe even has his reputation stained to his neighbors and coworkers because of all the questions the cops ask.”
I suddenly feel very insecure. The coffee shop we’re meeting at doesn’t have a secure wi-fi because… well… it’s a business model. Come for the coffee, stay for the wi-fi, buy a few snacks while you’re here.
Bryan sees me shift in my seat as I glance around. “Uh-huh,” he says. “When I came in, I noticed three people on laptops, 2 definitely doing business on them, 1 of them conducting a meeting and using one of those charge card squares you can connect to your phone. Another 4 people were working on their phones – anything from a social media update to a banking check on one of their accounts. Passwords and data are floating all around us. It would be dirt easy to get the gear, install it on my phone or laptop, and set up camp, right here, plucking all the data I need to steal someone’s information out of thin air.” He chuckles.
“What?” I hate it when laughs like that – it’s creepy, and it makes me think about the things he or Sam could do without expending a lot of effort.
“It just occurred to me that the phrase ‘thin air’ is a misnomer now. The air isn’t thin, anymore. It’s fat with data, obese with it. There’s so much floating around in this shop right now it’s a wonder more people don’t take advantage of it. There’s all these ‘lose weight’ scams for physical bodies, but no one realizes just how much bigger each and every one of them is in the ether, and almost no one tries to secure their data – effectively the mass of everything they are. Someone skims off an ounce here, a gram there – it’s no big deal until your life goes to hell because someone took you for every bit of data you had.”